A new malware dubbed Plurox spread itself over the local network using EternalBlue exploit and let attackers gain access to the network to install miners and other malware on the victim’s machine.
The malware is modular, which means; attackers can expand its functionality by adding additional plugins, as required.
Kaspersky researchers discovered the malware in February, it was written in C and compiled with Mingw GCC. Communication with C&C server established through TCP protocol and the plugins are loaded with interfaced via two different ports that are defined with Plurox, and the C&C address is hardcoded.
Plurox Malware Plugins
The C&C server instructs the malware to extract the information from the infected machine, and the commands are encrypted using XOR. Plurox supports for the following seven commands.
- Download and run files using WinAPI CreateProcess
- Update bot
- Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
- Download and run plugin
- Stop plugin
- Update plugin (stop the process and delete the file of the old version, load and start a new one)
- Stop and delete the plugin
The malware install’s crypto mine’s based on the system configuration, it sends the system configuration details to the C&C server, and it gets information on which plugin needs to be installed.
“The UPnP plugin modules receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. Researchers believe that this plugin can be used to attack a local network.”
Next one is the SMB plugin responsible for spreading malware over the network using the EternalBlue exploit. Based on the analysis, researchers believe the creators of Plurox and Trickster may be linked.
IoC
C&C servers
178.21[.]11.90
185.146[.]157.143
37.140[.]199.65
194.58[.]92.63
obuhov2k[.]beget[.]tech
webdynamicname[.]com
37.46[.]131.250
188.93[.]210.42
MD5
Main body
59523DD8F5CE128B68EA44ED2EDD5FCA
C4A74D79030336A0C3CF60DE2CFAE9E9
CECFD6BCFDD56B5CC1C129740EA2C524
BE591AA0E48E496B781004D0E833E261
Trickster Worm module
f233dd609821c896a4cb342cf0afe7b2
auto_proc32
2e55ae88c67b1d871049af022cc22aac
auto_proc64
b2d76d715a81862db84f216112fb6930
auto_opencl_amd32
a24fd434ffc7d3157272189753118fbf
auto_opencl_amd64
117f978f07a658bce0b5751617e9d465
auto_miner32
768857d6792ee7be1e1c5b60636501e5
auto_miner64
e8aed94c43c8c6f8218e0f2e9b57f083
upnp32
8cf5c72217c1bb48902da2c83c9ccd4e
upnp64
b2824d2007c5a1077856ae6d8192f523
smb32
6915dd5186c65891503f90e91d8716c6
smb64
cd68adc0fbd78117521b7995570333b2
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Related Read
New Android Malware that Uses Chrome to Load Malicious websites through Notifications
FIN8 Hacker Group using Highly Sophisticated ShellTea Malware to Attack Hospitality Sector
